7/26/2019 IMAToolsTechniquesMay07[1]
1/34
Statements on Management Accounting
E N T E R P R I S E R I S K A N D C O N T R O L
C R E D I T S
T I T L E
IMAwould like to acknowledge the work of William G.
Shenkir, Ph.D., CPA, and Paul L. Walker, Ph.D., CPA, both
of the McIntire School of Commerce, University of
Virginia, who were the authors of this SMA. Thanks also
go to Tim Leech of Paisley Consulting and COSO board
member Jeff Thomson of IMA who served as reviewers
and Raef Lawson, Ph.D., CMA, CPA, of IMA who serves
as series editor.
ENTERPRISE RISK MANAGEMENT:TOOLS AND TECHNIQUES FOR
EFFECTIVE IMPLEMENTATION
Published byInstitute of Management Accountants10 Paragon DriveMontvale, NJ 07645-1760www.imanet.org
Copyright 2007 by Institute of ManagementAccountants
All rights reserved
7/26/2019 IMAToolsTechniquesMay07[1]
2/34
Statements on Management Accounting
T A B L E O F C O N T E N T S
Enterprise Risk Management: Tools andTechniques for Effective Implementation
E N T E R P R I S E R I S K A N D C O N T R O L
I. Executive Summary . . . . . . . . . . . . . . . . 1
II. Introduction . . . . . . . . . . . . . . . . . . . . . 1
III. Scope . . . . . . . . . . . . . . . . . . . . . . . . . .2
IV. Risk Identification Techniques . . . . . . . . .3
Brainstorming . . . . . . . . . . . . . . . . . . . . .4
Event Inventories and Loss Event Data . . .5
Interviews and Self-Assessment . . . . . . . .6
Facilitated Workshops . . . . . . . . . . . . . . .7
SWOT Analysis . . . . . . . . . . . . . . . . . . . .7
Risk Questionnaires and Risk Surveys . . .8
Scenario Analysis . . . . . . . . . . . . . . . . . .8
Using Technology . . . . . . . . . . . . . . . . . .9
Other Techniques . . . . . . . . . . . . . . . . . .9
V. Analysis of Risk by Drivers . . . . . . . . . . .10
VI. Risk Assessment Tools . . . . . . . . . . . . .11
Categories . . . . . . . . . . . . . . . . . . . . . .12
Qualitative vs. Quantitative . . . . . . . . . .12Risk Rankings . . . . . . . . . . . . . . . . . . . .13
Impact and Probability . . . . . . . . . . . . . .13
Keys to Risk Maps . . . . . . . . . . . . . . . .14
Link to Objectives at Risk or Divisions
at Risk . . . . . . . . . . . . . . . . . . . . . . . . .15
Residual Risk . . . . . . . . . . . . . . . . . . . .16
Validating the Impact and Probability . . .17
Gain/Loss Curves . . . . . . . . . . . . . . . . .17
Tornado Charts . . . . . . . . . . . . . . . . . . .18
Risk-Adjusted Revenues . . . . . . . . . . . . .18
A Common Sense Approach to Risk
Assessment . . . . . . . . . . . . . . . . . . . . .19Probabilistic Models . . . . . . . . . . . . . . .19
Seemingly Nonquantifiable Risks . . . . . .20
VII. Practical Implementation Considerations 23
ERM Infrastructure . . . . . . . . . . . . . . . .23
ERM Maturity Models . . . . . . . . . . . . . .23
Staging ERM Adoption for Early Wins . . .24
The Role of the Management Accountant 25
ERM Education and Training . . . . . . . . .25
Technology . . . . . . . . . . . . . . . . . . . . . .25
Aligning Corporate Culture . . . . . . . . . . .26
Building a Case for ERM . . . . . . . . . . . .26
The ROI of ERM . . . . . . . . . . . . . . . . . .27X. Conclusion . . . . . . . . . . . . . . . . . . . . .27
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . .27
Reference List . . . . . . . . . . . . . . . . . . . . . .28
Additional Resources . . . . . . . . . . . . . . . . . .28
7/26/2019 IMAToolsTechniquesMay07[1]
3/34
Statements on Management Accounting
T A B L E O F C O N T E N T S
Exhibits
Exhibit 1: A Continuous Risk Management
Process . . . . . . . . . . . . . . . .2
Exhibit 2: Industry Portfolio of Risks . .5
Exhibit 3A-D: Risk Identification Template 6-7
Exhibit 4: Influence Diagram . . . . . . .10
Exhibit 5: Quantifying Risk: Determine the
Drivers . . . . . . . . . . . . . . .11
Exhibit 6: Qualitative and Quantitative
Approaches to Risk
Assessment . . . . . . . . . . .12
Exhibit 7: Risk Map . . . . . . . . . . . . . .13
Exhibit 8: Risk Map Model . . . . . . . . .14
Exhibit 9: Gain/Loss Probability Curve 16
Exhibit 10: : Tornado Chart: Earnings
Variability by Sample Risks .17
Exhibit 11: Actual Revenue vs. Risk-
Corrected Revenue . . . . . . .18
Exhibit 12: Goals of Risk Management .19
Exhibit 13: : Earnings at Risk by Risk
Factor . . . . . . . . . . . . . . . .20
Exhibit 14: Earnings at Risk Hedge
Effectiveness Comparisons .21
Exhibit 15: Expected Earnings and EaR 21
Exhibit 16: Probability Assessment of
Earnings Outcomes . . . . . .22
Exhibit 17: ERM Maturity Model . . . . . .24
Enterprise Risk Management: Tools andTechniques for Effective Implementation
E N T E R P R I S E R I S K A N D C O N T R O L
7/26/2019 IMAToolsTechniquesMay07[1]
4/34
I . EXECUTIVE SUMMARYEnterprise risk management (ERM) takes a
broad perspective on identifying the risks that
could cause an organization to fail to meet its
strategies and objectives. In this Statement on
Management Accounting (SMA), several tech-
niques for identifying risks are discussed and
illustrated with examples from company experi-
ences. Once risks are identified, the next issue
is to determine the root causes or what drives
the risks. A suggested approach is describedand followed by a discussion of several qualita-
tive and quantitative procedures for assessing
risks. Some practical ERM implementation con-
siderations are also explored, including infra-
structure and maturity models, staging adoption,
the role of the management accountant, educa-
tion and training, technology, aligning corporate
culture, building a case for ERM, and the ROI of
ERM. Any organizationlarge or small; public,
private, or not-for-profit; U.S.-based or global
that has a stakeholder with expectations for
business success can benefit from the tools andtechniques provided in this SMA.
I I . I NTROD UCT IO NIn the economic landscape of the 21st century,
an organizations business model is challenged
constantly by competitors and events that could
give rise to substantial risks. An organization
must strive to find creative ways to continuously
reinvent its business model in order to sustain
growth and create value for stakeholders.
Companies make money and increase stakehold-
er value by engaging in activities that have some
risk, yet stakeholders also tend to appreciate
and reward some level of stability in their expect-
ed returns. Failure to identify, assess, and man-
age the major risks facing the organizations
business model, however, may unexpectedly
result in significant loss of stakeholder value.
Thus, senior leadership must implement
processes to manage effectively any substantial
risks confronting the organization. This dual
responsibility of growing the business and man-
aging risk has been noted by Jeffrey Immelt,
Chairman and CEO at General Electric Co., when
he described his position at GE: My job is to fig-
ure out how to grow and manage risk and volatil-
ity at the same time.1
While leaders of successful organizations have
always had some focus on managing risks, it typ-ically has been from a reactive exposure-by-
exposure standpoint or a silo approach rather
than a proactive, integrated, across-the-
organization perspective. Under a silo approach,
individual organizational units deal with their own
risks, and often no single group or person in the
organization has a grasp of the entire exposure
confronting the company (especially the overall
organizations reputation risk). To correct such
a situation, enterprise risk management (ERM)
has emerged in recent years and takes an inte-
grated and holistic view of the risks facing theorganization.
This SMA is the second one to address enter-
prise risk management. The first, Enterprise Risk
Management: Frameworks, Elements, and
Integration, serves as the foundation for under-
standing and implementing ERM. It highlights
the various risk frameworks and statements that
professional organizations around the world
have published. In addition, it discusses and
illustrates through company experiences the
core components of a generic ERM framework. It
also points out some entrepreneurial opportuni-
ties for change within an organization (with spe-
cific leadership roles for the management
accountant articulated) when ERM is incorporat-
ed in such ongoing management activities
1
E N T E R P R I S E R I S K A N D C O N T R O L
1 Diane Brady, General Electric, the Immelt Way,Business Week, September 11, 2006, p. 33.
7/26/2019 IMAToolsTechniquesMay07[1]
5/34
as strategic planning, the balanced scorecard,
budgeting, business continuity planning, and cor-
porate governance. Finally, it takes up the issue
of transitioning from compliance under the
Sarbanes-Oxley Act (SOX), where the focus is on
risks related to financial reporting, to an
enterprise-wide perspective on risks, including
strategic risks.
I I I . SCOPEThis SMA is addressed to management account-
ing and finance professionals who serve as
strategic business partners with management in
the implementation of ERM in their organization.
Others within the organization responsible for
risk management, information technology, and
internal audit will also find this SMA useful.
Like many other change initiatives going on with-
in dynamic organizations, ERM provides an
opportunity for management accounting and
finance professionals to alter how they are per-
ceived by others in the organization. By becom-
ing a strategic partner in ERM implementation,
they can be seen as bean sprouters of new
management initiatives rather than merely bean
counters. They also can move from being the
historians and custodians of accounts to futuris-
tic thinkers. They can become coaches and play-
ers in a new management initiative important to
the future overall well-being of the company
2
E N T E R P R I S E R I S K A N D C O N T R O L
SET STRATEGY/
OBJECTIVES
IDENTIFY
RISKS
ASSESS
RISKS
TREAT
RISKS
CONTROL
RISKS
COMMUNICATE
& MONITOR
EXHIBIT 1. A CONTINUOUS RISK MANAGEMENT PROCESS
Source: Adapted from Institute of Chartered Accountants in England and Wales, No Surprises: The Case
for Better Risk Reporting, ICAEW, London, U.K., 1999, p. 47.
7/26/2019 IMAToolsTechniquesMay07[1]
6/34
rather than merely scorekeepers on what has or
has not been accomplished.2
The focus of this SMA is on core tools and tech-
niques to facilitate successful ERM implementa-
tion. While other tools and techniques can be
found in the Additional Resources section, this
document emphasizes those that are critical for
most ERM initiatives. Since all organizations
have stakeholders with ever increasing expecta-
tions, the tools and techniques discussed hereare generally relevant to:
large and small organizations,
enterprises in the manufacturing and services
sectors,
public and private organizations, and
for-profit and not-for-profit organizations.
I V. R ISK IDENTIF ICAT IONTECHNIQUESExhibit 1 shows the generic ERM framework pre-
sented in Enterprise Risk Management:
Frameworks, Elements, and Integration. The ini-tial focus is on clarity of strategies and objec-
tives. The focal point for risk identification may
be at any level, such as the overall company, a
strategic business unit, function, project,
process, or activity. Without clear objectives it is
impossible to identify events that might give rise
to risks that could impede the accomplishment
of a particular strategy or objectiveregardless
of the scope of the inquiry. Assuming those
involved in identifying risks have a clear under-
standing of the strategies and objectives, the
appropriate questions to ask, as suggested by
one companys senior enterprise risk manager,
are: What could stop us from reaching our top
goals and objectives? and What would materi-
ally damage our ability to survive? These ques-
tions can be modified for the appropriate level of
inquiry.
In the risk identification process, those involved
should recognize that it is a misperception to
think of a risk as a sudden event.3 Identifying
an issue that is facing the organization and dis-cussing it in advance can potentially lead to the
risk being mitigated. Two benefits are possible:
One, if you mitigate the risk and your
peers do notin a catastrophic, continu-
ity-destroying event that hits an indus-
trysay a financial scandalyou get
what is called the survivors bonus. Two,
if you survive or survive better than oth-
ers, then you have an upside after the
fact, and this should be part of the
boards strategic thinking.4
Before considering some of the specific tech-
niques available for organizations to identify
risks, several important factors should be noted
about this process:
The end result of the process should be a risk
language specific to the company or the unit,
function, activity, or process (whatever is the
focal point);
Using a combination of techniques may pro-
duce a more comprehensive list of risks than
would reliance on a single method;
The techniques used should encourage open
and frank discussion, and individuals should
not fear reprisal for expressing their concerns
3
E N T E R P R I S E R I S K A N D C O N T R O L
2 The authors acknowledge that the ideas in this paragraphabout the changing role of financial professionals weretaken from a presentation heard some years ago (uncertainas to date and place) and given by Jim Smith of The MarmonGroup, Inc. While the original remarks were not given in thecontext of ERM, they have been adapted accordingly.
3 Corporate Board Member, 2006 Academic CouncilSupplement: Emerging Trends in Corporate Governance,
Board Member, Inc., Brentwood, Tenn., p. 20.
4 Ibid.
7/26/2019 IMAToolsTechniquesMay07[1]
7/34
about potential events that would give rise to
risks resulting in major loss to the company;
The process should involve a cross-functional
and diverse team both for the perspectives
that such a group provides and to build com-
mitment to ERM; and
Finally, the process will probably generate a
lengthy list of risks, and the key is to focus on
the vital few rather than the trivial many.
Some techniques for identifying risk are: Brainstorming
Event inventories and loss event data
Interviews and self-assessment
Facilitated workshops
SWOT analysis
Risk questionnaires and risk surveys
Scenario analysis
Using technology
Other techniques
Brainstorming
When objectives are stated clearly and under-stood by the participants, a brainstorming ses-
sion drawing on the creativity of the participants
can be used to generate a list of risks. In a well-
facilitated brainstorming session, the partici-
pants are collaborators, comprising a team that
works together to articulate the risks that may
be known by some in the group. In the session,
risks that are known unknowns may emerge, and
perhaps even some risks that were previously
unknown unknowns may become known.
Facilitating a brainstorming session takes spe-
cial leadership skills, and, in some organiza-
tions, members of the internal audit and ERM
staff have been trained and certified to conduct
risk brainstorming sessions. In addition to well-
trained facilitators, the participants need to
understand the ERM framework and how the
brainstorming session fits into the ERM process.
The participants may very well be required to do
some preparation prior to the session.
In using this technique, one company familiar to
the authors noted that because the objectives
were unclear to some of the participants, the
process had to back up and clarify the objectives
before proceeding. Using a cross-functional
team of employees greatly increases the value of
the process because it sheds light on how risks
and objectives are correlated and how they canimpact business units differently. Often in brain-
storming sessions focused on risk identification,
a participant may mention a risk only to have
another person say: Come to think of it, my area
has that risk, and I have never thought of it
before. With the team sharing experiences,
coming from different backgrounds, and having
different perspectives, brainstorming can be suc-
cessful in identifying risk. It is also powerful
when used at the executive level or with the
audit committee and/or board of directors.
In a brainstorming session, the participants
must have assurance that their ideas will not
result in humiliation or demotion. Otherwise,
they may feel inhibited in expressing what they
believe are major risks facing the organization.
As an example, a set of often overlooked risks
are people risks vs. environmental risks, finan-
cial risks, and other more technical risks. People
risks include succession planning (What if our
very competent leader departs the organiza-
tion?) and competency and skills building (What
if we continue with a team that does not have
the requisite skills for success?). Once a list of
risks is generated, reducing the risks to what the
group considers the top few can be accom-
plished using group software to enable partici-
pants to anonymously vote on the objectives and
risks. Anonymity is believed to increase the
veracity of the rankings. Some of the interactive
4
E N T E R P R I S E R I S K A N D C O N T R O L
7/26/2019 IMAToolsTechniquesMay07[1]
8/34
voting software that could be used in the risk
identification process includes Sharpe
Decisions, Resolver*Ballot, OptionFinder, and
FacilitatePro. With the availability of interactive
voting software and Web polling, the brainstorm-
ing session might be conducted as a virtual
meeting with participants working from their
office location, also enabling them to identify
and rank the risks anonymously.
Event Inventories and Loss Event Data
Seeding or providing participants with some form
of stimulation on risks is very important in a
brainstorming session. One possibility is to pro-
vide an event inventory for the industry (see
Exhibit 2) or a generic inventory of risks.
Examples of the latter are readily available from
various consulting firms and publications.5 In
the first SMA on ERM, a general risk classifica-
tion scheme is given that could also be used to
seed the discussion. In a brainstorming ses-
sion or facilitated workshop (discussed below),
the goal is to reduce the event inventory to those
relevant to the company and define each risk
specific to the company. The risk identification
process can also be seeded by available loss
5
E N T E R P R I S E R I S K A N D C O N T R O L
EXHIBIT 2. INDUSTRY PORTFOLIO OF RISKS
Source: Debra Elkins, Managing Enterprise Risks in Global Automatic Manufacturing Operations,
presentation at the University of Virginia, January 23, 2006. Permmission granted for use.
5 Economist Intelligence Unit, Managing Business RisksAn Integrated Approach, The Economist Intelligent Unit, NewYork, 1995.
7/26/2019 IMAToolsTechniquesMay07[1]
9/34
event data. A database on relevant loss events
for a specific industry can stimulate a fact-
based discussion.6
Interviews and Self-Assessment
This technique combines two different process-
es. First, each individual of the organizational or
operating units is given a template with instruc-
tions to list the key strategies and/or objectives
within his or her area of responsibility and the
risks that could impede the achievement of the
objectives. Each unit is also asked to assess its
risk management capability using practical
framework categories such as those contained
in the ERM framework from the Committee of
Sponsoring Organizations of the Treadway
6
E N T E R P R I S E R I S K A N D C O N T R O L
6 Committee of Sponsoring Organizations of the TreadwayCommission (COSO), Enterprise Risk ManagementIntegrated Framework: Application Techniques, AICPA, NewYork, 2004, p. 28.
EXHIBIT 3A. RISK IDENTIFICATION TEMPLATE
EXHIBIT 3B. MAJOR STRATEGIES/OBJECTIVES FOR YOUR UNIT
EXHIBIT 3C. MAJOR RISKS FOR YOUR UNIT
Please list the major strategies and/or objectives for your area of responsibility.
Please list the major risks your unit faces in achieving its objectives. List no more than 10 risks.
Please assess the overall risk management capability within your area of responsibility to seize opportunities
and manage the risks you have identified.
Please list the major strategies/objectives for your unit.
Please list the major risks your unit faces in achieving your objectives. List no more than 10 risks.
7/26/2019 IMAToolsTechniquesMay07[1]
10/34
Commission (COSO). A sample template is pre-
sented in Exhibits 3A-D. The completed docu-
ments are submitted to the ERM staff or coordi-nator, which could be the CFO, controller, COO, or
CRO (chief risk officer). That group follows up
with interviews to clarify issues. Eventually, the
risks for the unit are identified and defined, and
a risk management capability score can be
determined from a five-point scale, as used in
Exhibit 3D. This technique might also be used in
conjunction with a facilitated workshop.
Facilitated Workshops
After the information is completed and collected,
a cross-functional management team from the
unit or from several units might participate in a
facilitated workshop to discuss it. Again, using
voting software, the various risks can be ranked
to arrive at a consensus of the top five to 10, for
example. As noted previously, using interactive
voting software allows the individuals to identify
and rank the risks anonymously without fear of
reprisal should their superior be a member of the
group.
SWOT Analysis
SWOT (strengths-weaknesses-opportunities-
threats) analysis is a technique often used in the
formulation of strategy. The strengths and weak-
nesses are internal to the company and include
the companys culture, structure, and financial
and human resources. The major strengths of
the company combine to form the core compe-
tencies that provide the basis for the company to
achieve a competitive advantage. The opportuni-
ties and threats consist of variables outside the
company and typically are not under the control
of senior management in the short run, such as
the broad spectrum of political, societal, environ-
mental, and industry risks.
7
E N T E R P R I S E R I S K A N D C O N T R O L
EXHIBIT 3D. RISK MANAGEMENT CAPABILITY
*The categories are taken from COSO, Enterprise Risk ManagementIntegrated Framework: Executive Summary,
AICPA, New York, 2004.
Use the following categories* to assess the overall risk management capability within your area of responsi-bility to seize opportunities and manage risks using the scale at the bottom of the page.
Internal Environment VL L M H VH
Objective Setting VL L M H VH
Event Identification VL L M H VH
Risk Assessment VL L M H VH
Risk Response VL L M H VH
Control Activities VL L M H VH
Information/Communication VL L M H VH
Monitoring VL L M H VH
What is your level of concern with respect to the overall risk management capability of your area of
responsibility to seize opportunities and manage risks? Please circle the most appropriate response:
VL= Very Low L=Low M=Medium H=High VH=Very High
7/26/2019 IMAToolsTechniquesMay07[1]
11/34
For SWOT analysis to be effective in risk identifi-
cation, the appropriate time and effort must be
spent on thinking seriously about the organiza-
tions weaknesses and threats. The tendency is
to devote more time to strengths and opportuni-
ties and give the discussion of weaknesses and
threats short shrift. Taking the latter discussion
further and developing a risk map based on con-
sensus will ensure that this side of the discus-
sion gets a robust analysis. In a possible acqui-
sition or merger consideration, a company famil-iar to the authors uses a SWOT analysis that
includes explicit identification of risks. The writ-
ten business case presented to the board for the
proposed acquisition includes a discussion of
the top risks together with a risk map.
Risk Questionnaires and Risk Surveys
A risk questionnaire that includes a series of
questions on both internal and external events
can also be used effectively to identify risks. For
the external area, questions might be directed at
political and social risk, regulatory risk, industryrisk, economic risk, environmental risk, competi-
tion risk, and so forth. Questions on the internal
perspective might address risk relating to cus-
tomers, creditors/investors, suppliers, opera-
tions, products, production processes, facilities,
information systems, and so on. Questionnaires
are valuable because they can help a company
think through its own risks by providing a list of
questions around certain risks. The disadvan-
tage of questionnaires is that they usually are
not linked to strategy.
Rather than a lengthy questionnaire, a risk sur-
vey can be used. In one company, surveys were
sent to both lower- and senior-level manage-
ment. The survey for lower management asked
respondents to List the five most important
risks to achieving your units goals/objectives.
The survey to senior management asked partici-
pants to List the five most important risks to
achieving the companys strategic objectives.
The survey instruments included a column for
respondents to rank the effectiveness of man-
agement for each of the five risks listed, using a
range of one (ineffective) to 10 (highly effective).
Whether using a questionnaire or survey, the
consolidated information can be used in conjunc-
tion with a facilitated workshop. In that session,
the risks are discussed and defined further.
Then interactive voting software is used to nar-row that risk list to the vital few.
Scenario Analysis
Scenario analysis is a particularly useful tech-
nique in identifying strategic risks where the sit-
uation is less defined and what-if questions
should be explored. Essentially, this technique is
one way to uncover risks where the event is high
impact/low probability.7 In this process,
Managers invent and then consider, in
depth, several varied stories of equally
plausible futures. The stories are careful-ly researched, full of relevant detail, ori-
ented toward real-life decisions, and
designed (one hopes) to bring forward
surprises and unexpected leaps of
understanding.8
Using this technique, a cross-functional team
could consider the long-term effects resulting
from a loss of reputation or customers or from
the lack of capability to meet demand. Another
relevant question to ask is, What paradigm
shifts in the industry could occur, and how would
they impact the business?
8
E N T E R P R I S E R I S K A N D C O N T R O L
7 Deloitte & Touche LLP, The Risk Intelligent Enterprise: ERMDone Right, Deloitte Development LLC, 2006, p. 4.8 Peter Schwartz, The Art of the Long View, CurrencyDoubleday, New York, 1991, p. xiii.
7/26/2019 IMAToolsTechniquesMay07[1]
12/34
The risk management group of one company
uses scenario analysis to identify some of its
major business risks.9 One risk for this company
is an earthquake. Its campus of more than 50
buildings is located in the area of a geological
fault. From a holistic perspective, the loss from
an earthquake is not so much the loss of the
buildings but the business interruption in the
product development cycle and the inability to
serve customers. The companys risk manage-
ment group analyzed this disaster scenario withits outside advisors and attempted to quantify
the real cost of such a disaster, taking into
account how risks are correlated. In the process,
the group identified many risks in addition to
property damage, including:
Director and officer liability if some people
think management was not properly prepared,
Key personnel risk,
Capital market risk because of the firms
inability to trade,
Worker compensation or employee benefit
risk, Supplier risks for those in the area of the
earthquake,
Risk related to loss of market share because
the business is interrupted,
Research and development risks because
those activities are interrupted and product
delays occur, and
Product support risks because the company
cannot respond to customer inquiries.10
This example reveals the value of using scenario
analysis: A number of risks are potentially pres-
ent within a single event, and the total impact
could be very large. Another scenario that this
companys risk management group analyzed was
a stock market downturn (or bear market). The
group also defined five or six other scenarios.
Under each one, it identified as many material
risks as could be related to the scenario and
developed white papers on each one for execu-
tive management and the board.11
Using Technology
The risk identification process can also utilize
the companys existing technology infrastructure.For example, most organizations utilize an
intranet in their management processes. The
group responsible for a companys ERM process
can encourage units to place their best risk prac-
tices on the ERM site. Risk checklists, anec-
dotes, and best practices on the intranet serve
as stimulation and motivation for operating man-
agement to think seriously about risks in their
unit. Also, tools that have been found particular-
ly useful to various units can be catalogued. As
new projects are launched, business managers
are encouraged to consult the risk managementgroups intranet site.
Another use of technology is to recognize the
companys potential risk that resides with the
Internet. For example, a companys products, ser-
vices, and overall reputation are vulnerable to
Internet-based new media like blogs, message
boards,e-mailing lists, chat rooms,and independ-
ent news websites. Some companies devote
information technology resources to scan the
blogosphere continuously for risks related to the
companys products, services, and reputation.
Other Techniques
Other possible approaches for identifying risks
include value chain analysis, system design
review, process analysis, and benchmarking with
9
E N T E R P R I S E R I S K A N D C O N T R O L
9 Thomas L. Barton, William G. Shenkir, and Paul L.Walker, Making Enterprise Risk Management Pay Off,Financial Executives Research Foundation, Upper SaddleRiver, N.J., 2001, pp. 132-135.
10 Ibid., p. 133. 11 Ibid., p. 133.
7/26/2019 IMAToolsTechniquesMay07[1]
13/34
other similar as well as dissimilar organizations.
Also, external consultants can add value in the
risk identification process by bringing in knowl-
edge from other companies and industries and by
challenging the companys list of identified risks.
V. ANALYSIS OF RISK BYDRIVERSAfter a risk is identified, the temptation to quan-
tify it before further analysis is completed should
be avoided. Additional understanding of the
risks potential causes is required by the ERM
team and management before its impact can be
quantified. Working with the various units of the
organization that own parts of the risk, the ERM
team should drill into the risk to uncover what is
beneath the surface and to get a better under-
standing of the potential risk drivers. An influ-
ence diagram or root cause analysis can be
developed using scenario analysis. This can be
done by using supporting documentation and
interviewing those who own parts of the risk.
Exhibit 4 presents an influence diagram for a
strategic risk provided by a senior manager of
ERM at a major company. In this exhibit, a chain
of likely events within a given scenario is spelled
out where a strategic riskrevenue target not
methas been identified.
Studying Exhibit 4, the inquiry to determine the
likely drivers in a scenario for the risk of not meet-
ing the revenue target could be the following:
Failure to sell a new product;
The new machinery and equipment purchased
for making the new product was not selected
properly because of a process breakdown in
the acquisition. This led to manufacturing fail-
ures attributed to product design problems,
10
E N T E R P R I S E R I S K A N D C O N T R O L
Revenue target
not met
Capital
expense
Failure to
sell new
product
Supply
chain
failure
Loss of top
customer(s)
High defect
rate Catastrophic
event
Decrease in
inventory
Error in product
planning or
design
Mfg.
selection
mistake
Misalignment of
BUs
Process
breakdown
Failure to have
BCP plan
Breakdown in
goal process
= a key risk driver
Mfg. failure
Develop Influence Diagram and
Quantify the Risk Drivers:
Define root causes and main drivers
of the risks. Define the chain of
events in likely scenario. Drivers
should be small enough in scope
that they can be quantified.
EXHIBIT 4. INFLUENCE DIAGRAM
7/26/2019 IMAToolsTechniquesMay07[1]
14/34
which led to a high rate of product defect;
Failure in the supply chain impacted the ability
to meet the revenue target. A catastrophic
event occurred at a major supplier, and thebusiness continuity plan recognized this event
too late to find alternative suppliers;
Together, the above events would result in los-
ing some top customers because high-quality
products could not be delivered when required;
furthermore, in digging deeper, some misalign-
ment of specific goals might exist in the silos
involved. For example, manufacturing might
have a goal of cutting cost; customer service
naturally will want low defects in the products;
the pricing function will be seeking high mar-
gins for the products; and the sales force is
motivated to generate revenue.
With an in-depth understanding of how the
strategic risk could occur, more information is
now available to assist in quantifying the risk.
This information can be framed as noted in
Exhibit 5 in order to begin estimating the impact.
The point of this analysis is to understand the
level at which quantification can best occur. If
the risk is quantified at too high a level, it could
be too broad or not actionable. Using a buildingblock approach around risk drivers facilitates the
quantification process. At the end of the
process, however, quantification is still an esti-
mate and should be viewed as merely providing
an order of magnitude of the impact.
VI . R ISK ASSESSMENT TOOLSRisks must be identified correctly before an
organization can take the next step. Assessing
the wrong list of risks or an incomplete list of
risks is futile. Organizations should make every
possible effort to ensure they have identified
their risks correctly using some or all of the
approaches discussed. The act of identifying
risks is itself a step on the risk assessment
road. Any risks identified, almost by default, have
some probability of influencing the organization.
11
E N T E R P R I S E R I S K A N D C O N T R O L
Do NOT
tryto quantifyat
theselevels
Maingoalsand
Objectives
(revenuemissed)
Risk#1
to achieving
goalsand
objectives(failureto sell)
Risk#2
to achieving
goalsand
objectives
Risk#3
to achieving
goalsand
objectives
Quantifyrisksat
thislevelor below
Driverof
Risk#1Driverof
Risk#1
Driverof
Risk#2
Driverof
Risk#2
Driverof
Risk#3
Driverof
Risk#3
EXHIBIT 5. QUANTIFYING RISK: DETERMINE THE DRIVERS
7/26/2019 IMAToolsTechniquesMay07[1]
15/34
Categories
Once risks are identified, some organizations
find it helpful to categorize them. This may be a
necessity if the risk identification process pro-
duces hundreds of risks, which can be over-
whelming and seem unmanageable. Risk cate-
gories include hazard, operational, financial, and
strategic. Other categories are controllable or
noncontrollable and external or internal.
Categorizing risk requires an internal risk lan-
guage or vocabulary that is common or unique to
the organization in total, not just to a particular
subunit or silo. Studies have shown that an
inconsistent language defining risks across an
organization is an impediment to an effective
ERM strategy. Risk terms would certainly vary
between a pharmaceutical company and a tech-
nology company or between a nonprofit and an
energy company. Several risks could be grouped
around a broader risk, such as reputation risk.
Other methods for categorizing risk can be finan-
cial or nonfinancial and insurable or noninsur-
able. Some companies also categorize risks as
quantifiable or nonquantifiable.
Qualitative vs. Quantitative
As Exhibit 6 shows, risk assessment techniques
can vary from qualitative to quantitative. The
qualitative techniques can be a simple list of all
risks, risk rankings, or risk maps. A list of risks
is a good starting point. Even though no quanti-
tative analysis or formal assessment has been
applied to the initial list of risks, the list and
accompanying knowledge is valuable. Some
12
E N T E R P R I S E R I S K A N D C O N T R O L
QualitativeRisk identification
Risk rankings
Risk maps
Risk maps with
impact and likelihood
Risks mapped to objectives or divisions
Identification of risk
correlations
Qualitative/
QuantitativeValidation of risk impact
Validation or risk likelihood
Validation of correlations
Risk-corrected revenues
Gain/loss curves
Tornado chartsScenario analysis
Benchmarking
Net present value
Traditional measures
QuantitativeProbablistic techniques
cash flow at risk
earnings at risk
earnings distributions
eps distributions
Level of difficulty and amount of data required
EXHIBIT 6. QUALITATIVE AND QUANTITATIVE APPROACHES TO RISK ASSESSMENT
7/26/2019 IMAToolsTechniquesMay07[1]
16/34
risks on the list may not be quantifiable. For
these risks, identifying them and adding them to
a priority list may be the only quantification pos-
sible. Organizations should not be concerned
that they cannot apply sophisticated modeling to
every risk.
Risk Rankings
Once an organization has created its list of risks,
it can begin to rank them. Ranking requires the
ERM team to prioritize the risks on a scale of
importance, such as low, moderate, and high.
Although this seems unsophisticated, the results
can be dramatic. Organizations find considerable
value in having conversations about the impor-
tance of a risk. The conversations usually lead to
questions about why one group believes the risk
is important and why others disagree. Again, this
process should use a cross-functional risk team
so that perspectives from across the entire
organization are factored into the rankings. This
is a critical task requiring open debate, candid
discussion, and data (e.g., tracking, recording,
and analysis of historical error rates on a busi-
ness process) where possible.
Impact and Probability
The importance of an event includes not just its
impact but also its likelihood of occurring.Therefore, many ERM organizations generate risk
maps using impact and probability. In ERM imple-
mentation, companies not only generate risk
maps to capture impact and likelihood but also
to demonstrate how risks look when put togeth-
er in one place. The value of the map is that it
reflects the collective wisdom of the parties
involved. Furthermore, risk maps capture consid-
erable risk information in one place that is easi-
ly reviewed. A basic risk map, such as in Exhibit
7, captures both impact and likelihood.
When assessing likelihood or probability, the
ERM team can use a variety of scales:
Low, medium, or high;
Improbable, possible, probably, or near certain-
ty; and
Slight, not likely, likely, highly likely, expected.
The same is true for assessing impact:
13
E N T E R P R I S E R I S K A N D C O N T R O L
High Impact
Low Likelihood
High Impact
High Likelihood
Low Impact
Low Likelihood
Low Impact
High Likelihood
High
Low HighLikelihood of Occurrence
Impact
EXHIBIT 7. RISK MAP
7/26/2019 IMAToolsTechniquesMay07[1]
17/34
Low, medium, or high impact;
Minor, moderate, critical, or survival; and
Dollar levels, such as $1 million, $5 million,
etc.
When qualitatively assessing these risks, it is
also possible to estimate ranges. For example, a
company might determine that there is a low
probability of a customer-related risk having an
impact of $100 million, a moderate probability
(or best guess) of a $50 million impact, and a
high probability of a $10 million impact. For
example, when Apple announced its entrance
into the cell phone market, other cell phone mak-
ers likely began making calculations to gauge
the risk of the new entrant into their market.
Risk maps can help an organization determine
how to respond to a risk. As organizations see
the greater risks, they can plan a response. For
example, one risk map approach used by a com-
pany is shown in Exhibit 8. For risks that are in
14
E N T E R P R I S E R I S K A N D C O N T R O L
CriticalityofAchievement
Process/Business
LevelImpact
Segment/Intersegment
LevelImpact
LevelImpact
6 Yellow (Level III)
Close monitoring
for increased
impact and/or
variability
8 Red (Level IV)
Segment
Commitment
Reported to
Segment
Leadership
Close monitoring
of risk action plan
9 Red (Level V)
Commitment
Reported to Audit
Committee
Reported to
Segment Leadership
Close monitoring of
risk action plan
3 Green (Level II)
High-level
monitoring for
increased impact
and/or variablity
5 Yellow (Level III)
Close monitoring
for increased
impact and/or
variability
7 Red (Level IV)
Segment
Commitment
Reported to Segment
Leadership
Close monitoring
of risk action plan
1 Green (Level I) 2 Green (Level II) 4 Yellow (Level III)
High-level
monitoring for
increased impact
and/or variablity
High-level
monitoring for
increased impact
and/or variablity
Close monitoring
for increased
impact and/or
variability
Low
(Consistentlywithin tolerable
variance in key
metric improvement
or target)
Moderate High
(Sometimeswithin tolerable
variance in key
metric improvement
or target)
(Mostly outside oftolerable
variance in key
metric improvement
or target)
Actual/Potential Performance Variability Around Targets
Achievement of Objective/Execution of Process/
Implementation of Change/Management of Risk
EXHIBIT 8. RISK MAP MODEL
7/26/2019 IMAToolsTechniquesMay07[1]
18/34
the lower levels of impact and probabilitythe
green zone on the mapa company should
respond with high-level monitoring. For risks with
higher levels of impact and probabilitythe red
zone on the mapa company should take a
stronger response and a higher level of commit-
ment to managing them.
Keys to Risk Maps
Several keys need to be considered when gener-
ating risk maps: confidentiality, definitions, time-frame, direction, and correlations. Organizations
may want to consider doing impact and probabil-
ity in a confidential manner. As noted previously,
software tools are available to facilitate confiden-
tial sharing. On the other hand, some companies
find that openly sharing assessments within the
group is acceptable. Even with confidentiality,
good risk facilitators can bring out the risk
source and root problems.
Definitions used during the risk map generation
are critical. What is important to one work unitor individual may not seem important to anoth-
er. If organizations measure impact in dollars,
the dollars must be without ambiguity. Does the
risk influence dollars on one product, dollars for
a certain division, or earnings per share?
Similarly, improbable might be interpreted by
some to be 1% while others could think it means
15%. These definitions and terms should be
clearly established before the risk map sessions
are conducted.
Closely related to definitions are timeframes,
which need to be established up front so that
any understanding of the risk and its impact is
clear as to when it will affect the organization. An
assessment of risk at one point in time has the
same failings as strategic plans and objectives,
which do not take a longer-term perspective on
market trends, customer needs, competitors,
etc. What seems important today or this week
may not seem important in five years. Similarly,
although some longer-range risks may not seem
important today, these risks could threaten the
organizations survival if left unmanaged.
Some organizations find it valuable to capture
the direction of the risk. This can be labeled on
the risk map or communicated separately.
Direction of risk can be captured using terms
such as increasing, stable, or decreasing.Related to the risk direction is the risk trend.
Knowing the direction and trend of a risk as well
as its dollar impact and likelihood can be crucial
to managing that risk. For example, risk trends
can reveal that the risk was decreasing over the
last several years but has increased recently.
One weakness in risk maps (and in silo risk man-
agement) is that maps do not capture any risk cor-
relations. Ignoring risk correlations can lead to inef-
fective and inefficient risk management. Risk cor-
relations can be considered for financial risks ornonfinancial risks. Clearly, how some companies
manage one foreign currency exposure should be
considered with how they manage another foreign
currency exposure. Managing these in silos (with-
out an enterprise-wide approach) can be inefficient
because dollar exposures to only the yen or euro
ignore that the yen and euro are correlated.
Similarly, silo risk management would ignore the
fact that the movement of interest rates could
influence an organizations pension obligations
and debt obligations differently. As another exam-
ple, how an organization manages commodity
exposure today should be factored in with how it
plans to change its long-term strategy to manage
that same exposure. Short-term solutions of for-
eign currency risk management are different from
long-term solutions of building plants in other coun-
tries. As is evident, correlations among risks and
an enterprise-wide approach are critical.
15
E N T E R P R I S E R I S K A N D C O N T R O L
7/26/2019 IMAToolsTechniquesMay07[1]
19/34
Link to Objectives at Risk or Divisions at
Risk
Identifying risks by objective gives an organiza-
tion the option to map risks by objectives. For
nonprofit organizations, this may be more impor-
tant because earnings per share is not the
biggest concern. A risk map by objective cap-
tures all the risks related to a single objective,
helping the organization understand the broad
spectrum of risks facing that objective. For exam-
ple, the objective of maintaining the corporate
reputation at a certain level could have many
risks to be mapped. Using such a map, the
organization can see the biggest risks to reputa-
tion. Similarly, risks can also be identified by divi-
sion, which may be more informative for division
managers. Organizations can generate risk
maps for each division and for the organization
overall.
Residual Risk
After organizations assess risks, they should
also consider any related controls so that the
residual risk is known. A residual risk is the
remaining risk after mitigation efforts and con-
trols are in place to address the initially identi-
fied inherent risks that threaten the achievement
of objectives. Risk maps can show overall risks,
or they can be shown with just residual risks.
Understanding residual risk can provide major
16
E N T E R P R I S E R I S K A N D C O N T R O L
Probability
that Annual
Loss will
Exceed AmountShown
$0.00 $6.18
Annual Loss Amount
1.10
1.00
0.90
0.80
0.70
0.60
0.50
0.40
0.30
0.20
1.10
0.00
90%-$0.30
80%-$0.48
70%-$0.68
60%-$1.13
50%-$1.15
40%-$1.50
30%-$1.98
20%-$2.7310%-$4.28
Note: All loss amounts are in millions of dollars.
EXHIBIT 9. GAIN/LOSS PROBABILITY CURVE
7/26/2019 IMAToolsTechniquesMay07[1]
20/34
benefits because companies do not want to over-
or under-manage a risk that may be deemed by
management and stakeholders to be tolerable
or acceptable relative to stated business objec-
tives. This is a major reason why some compa-
nies adopt ERM and try to understand, even
qualitatively, the return on investment (ROI) of an
ERM program. In the process of identifying risks
and controls, the management team/process
owners clearly play a leadership role, but there is
a system of checks and balances in the con-
trol environment. For example, the control envi-
ronment for internal controls over financial
reporting includes the audit committee as well
as internal and external auditors.
Validating the Impact and Probability
Organizations can validate the qualitative
assessments of initial impact and probability by
examining historical data to determine the fre-
quency of events or the impact such events have
had in the past. Events that have happened to
other organizations can be used to understand
how a similar event might impact your own orga-
nization. Gathering such data can be time con-
suming, but it has certain advantages. Knowing
the real frequency or likelihood of a major drop in
sales, for example, can provide an organization
with the information necessary to make informed
cost-benefit decisions about potential solutions.
17
E N T E R P R I S E R I S K A N D C O N T R O L
Risk 1
Risk 2
Risk 3
Risk 4
Risk 5
Risk 6
Risk 7
Risk 8
Risk 9
(Cents per share)-0.90
-0.70 -0.50 -0.30 -0.10 0.10
0.00
0.30 0.50 0.70 0.90
1.00
EXHIBIT 10. TORNADO CHART: EARNINGS VARIABILITY BY SAMPLE RISKS
7/26/2019 IMAToolsTechniquesMay07[1]
21/34
Gain/Loss Curves
Gain/loss curves are useful tools because they
help an organization see how a risk can influ-
ence its financial statements and result in a gainor a loss. Furthermore, gain/loss curves also
reveal the distribution of potential gains and
losses. Gain/loss curves do not show correla-
tions between risks, however, and they do not
show all the risks in one place. A gain/loss curve
is presented in Exhibit 9. The curve shows how
much money the company loses or gains from a
specific risk. The horizontal axis represents dol-
lars, and the vertical axis represents probability.
The sample curve in Exhibit 9 shows that the
organization loses $1.15 million dollars on aver-
age (at 50% probability in this illustration) as a
result of this risk. Moving along the probability
scale shows that, 90% of the time, this organiza-
tion loses $300,000 because of this risk. The
organization believes it loses $4.28 million
about 10% of the time. Knowing how big of an
impact a risk causes over a distribution of prob-
abilities provides management with the informa-
tion necessary to decide how much money to
spend managing the risk. Gain/loss curves can
also reveal that some risks occasionally gener-
ate gains instead of losses. Developinggain/loss curves can require substantial data
collection, and a company has to balance the
data collection efforts with the benefits
obtained.
Tornado Charts
Similar to gain/loss curves, tornado charts
attempt to capture how much of an impact a risk
has on a particular metric such as revenue, net
income, or earnings per share. Exhibit 10 shows
an example of a tornado chart. Tornado charts
do not show correlations or distributions, but
they are valuable because executives can see, in
one place, the biggest risks in terms of a single
performance metric.
Risk-Adjusted Revenues
Risk-adjusted (or risk-corrected) revenues allow
management to see how revenues could look if
18
E N T E R P R I S E R I S K A N D C O N T R O L
Actual
Revenues
Risk-Corrected
Revenues
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
EXHIBIT 11. ACTUAL REVENUE VS. RISK-CORRECTED REVENUE
7/26/2019 IMAToolsTechniquesMay07[1]
22/34
risks were managed better. As Exhibit 11 shows,
risk-corrected revenues are smoother and more
controllable. On a broader scale, Exhibit 12shows one companys view of how better risk
management affects the distributions of earn-
ings. A tighter distribution of earnings could
potentially lead to improved performance of its
stock price. The two types of analysis shown in
Exhibits 11 and 12 are why some companies
want to implement ERM. While stakeholders
(e.g., investors) appreciate growth in earnings,
they also appreciate some level of stability and
predictability and are often willing to pay a premi-
um for these attributes.
A Common Sense Approach to Risk
Assessment
While some of these risk metrics and tools may
seem difficult, a simple approach can yield
equally good results. One approach is to meas-
ure where the company stands today on a risk
issue. After implementing risk mitigation tech-
niques, the company can reassess the risk
issue. Of course, not all of the improvement
related to a risk can be traced to the risk mitiga-tion techniques, but improvement is still valu-
able. One major retailer uses this approach to
gauge the value added from their ERM efforts in
addition to other value-added metrics. This retail-
er identified inventory in-stock rates as a risk.
Measuring in-stock rates over time gave the com-
pany a good feel for the historical levels of in-
stock rates. Next, after implementing risk mitiga-
tion efforts, current inventory in-stock rates were
captured. Improvements in in-stock rates are
traced to improvements in sales and, ultimately,
to value added from the ERM process.
Probabilistic Models
Some organizations use quantitative approaches
in ERM that are built on traditional statistical and
probabilistic models and techniques. The disad-
vantage to these approaches is that they require
more time, data, and analysis and are built on
19
E N T E R P R I S E R I S K A N D C O N T R O L
Earnings
Inherent
Distribution
Distribution after Risk Management
EXHIBIT 12. GOALS OF RISK MANAGEMENT
7/26/2019 IMAToolsTechniquesMay07[1]
23/34
assumptions. Furthermore, using the past to pre-dict the future has limitations even before other
explanatory variables are included in the sta-
tistical prediction process. But some organiza-
tions still find these models very useful as a tool
in their solutions toolkit when approaching risk.
One technique focuses on earnings at risk,
which are determined by examining how earnings
vary around expected earnings. In this approach,
variables are examined to see how they influ-
ence earnings, such as determining the influ-
ence that a one-point movement in interest rates
would have on earnings. Similarly, expected or
budgeted cash flows can be determined and
then tested for sensitivity to certain risks, yield-
ing a cash-flow-at-risk number. As Exhibit 13
shows, some companies trace the earnings-at-
risk to individual risk sources. Knowing the actu-
al root cause or source of the risk helps to man-
age it more efficiently. Companies can also tracethe earnings-at-risk to business units to help
gauge the hedge effectiveness of each business
unit (see Exhibit 14). Knowing which business
units have the greatest risk is valuable informa-
tion. With this knowledge, a company could com-
pare a business units earnings level to the
earnings-at-risk. Those units that generate low
earnings and high levels of risk may not be desir-
able business units. Having earnings-at-risk in
the aggregate allows an organization to see
which months have the greatest risk (see Exhibit
15). Also, distributions can be created that esti-
mate the probability of meeting earnings targets
(see Exhibit 16).
Seemingly Nonquantifiable Risks
Some risks seem to defy acceptable quantifica-
tion, but a deeper look can reveal valuable infor-
mation. Reputation is a risk that has become
20
E N T E R P R I S E R I S K A N D C O N T R O L
Total EaR by Risk Category
(100% = $35 million)
Commodity
PricesForeign
Exchange
51%
Interest
RatesCommodity Contribution to
EaR by Major Commodity
(100% = $16 million)
32%
17%
35%
30%
25%
20%
15%
10%
5%
0%Chemicals Precious
Metals
Natural
Gas
Agriculture Other
Commodities
Foreign Exchange Contribution to
EaR for Major Currency
(100% = $26 million)
35%
30%
25%
20%
15%
10%
5%
0%
Euro Yen Canadian $
Other CurrenciesMexican
Peso
EXHIBIT 13. EARNINGS AT RISK BY RISK FACTOR
7/26/2019 IMAToolsTechniquesMay07[1]
24/34
21
E N T E R P R I S E R I S K A N D C O N T R O L
$40
$30
$20
$10
$0
-$10
-$20
-$30
-$40
Earnings at Risk
Contribution
(millions of dollars)
Business Unit 1 Business Unit 2 Business Unit 3 Business Unit 4 TOTAL Diversification
Benefit
Natural Earnings at Risk
With Hedging Earnings at Risk
EXHIBIT 14. EARNINGS AT RISK HEDGE EFFECTIVENESS COMPARISONS
$70
$60
$50
$40
$30
$20
$10
$0
$ Millions
January
February
March
April
May
June
July
August
September
October
November
December
SummaryByMonth Distribution or Annualized
Earnings Outcomes
25%
20%
15%
10%
5%
0%
$545Equalstheearningscorrespondingtothe95% CI
$670Equalstheexpectedorbudgetedearnings
Earnings($millions)
ExpectedEarnings Earnings atRisk
$125
EaR equals
thedifference
EXHIBIT 15. EXPECTED EARNINGS AND EAR
7/26/2019 IMAToolsTechniquesMay07[1]
25/34
increasingly important in todays business envi-ronment, and it must be managed. At first
glance, some executives would say you cannot
quantify it, but it can be in some ways. In acade-
mia, for example, a universitys reputation is a
prodigious risk. Tracking a drop in contributions
after a scandal can provide preliminary data that
could lead to the ability to quantify reputation
risk. Ranges of decreases in contributions could
also be developed, with the maximum risk being
a major decrease in donations. Gathering data
from universities or other nonprofit organizations
that have experienced a drop in contributions
can provide valuable external data that could
assist in quantifying this risk. For public compa-
nies, the impact of reputation risk could be
examined by studying decreases in stock prices
surrounding an event that damaged an organiza-
tions reputation. It is important to note that
while this might capture and provide a quantifi-
able risk, it still partially ignores the damage thatreputation events have on supplier or vendor
relations. It also ignores how future customers
might be influenced by the reputation event.
Although these related risks might not be quan-
tifiable, they highlight the importance of having
an ERM team study and analyze risks very close-
ly so that conversations about the risks are
focused on managing the risk and not just on
identification and measurement.
Another example of a risk that appears nonquan-
tifiable is a breach in IT security. Examining the
movement in stock price around the event, how-
ever, can help a company gather a preliminary
estimate of how shareholders view the event.
Additionally, talking to other companies that have
experienced IT security breaches can help the
company understand the potential impact.
Finally, understanding the organizations unique
22
E N T E R P R I S E R I S K A N D C O N T R O L
$0
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
Cumulative
Probability
$545
Level of earnings
corresponding with EaR
$640 $670
Expected
or budgeted earnings
Earnings
($ millions)
Probability
ofa Specific
Outcome
25%
20%
15%
10%
5%
0%
Interpretation: There is a 30%chance
that dueto all risks earnings will
fall below $640 million for theyear.
EXHIBIT 16. PROBABILITY ASSESSMENT OF EARNINGS OUTCOMES
7/26/2019 IMAToolsTechniquesMay07[1]
26/34
method of creating value for its customers can
also offer critical insights regarding the impact of
the breach. Companies that have customers who
value trust and confidentiality, such as financial
institutions, should estimate a greater impact
from a potential IT security breach.
A major electronic retailer may determine that a
key risk to sales is a change in gas prices. The
retailer relies on consumers having discretionary
income, and higher gas prices lower discre-tionary income and decrease the retailers sales.
The effect of gas prices on sales can be calculat-
ed and potentially planned for in advance.
Another example is the risk of weather related to
a snow machine companys sales. Guaranteeing
a rebate to customers if the amount of snowfall
is below a certain level can increase sales in
years with low snow fall.12 These examples
show that while not all risks can be quantified
with a sophisticated technique, valuable risk
assessment and management can still be
applied.
VII. PRACTICAL IMPLEMENTATIONCONSIDERATIONSThe implementation of ERM depends on a num-
ber of organizational variables and no specific
recipe is available to assure successful imple-
mentation in any organization. In this section,
however, a number of practical considerations
are discussed that may provide helpful insights
in the implementation process. These include:
ERM infrastructure, ERM maturity models, stag-
ing ERM adoption for early wins, the role of the
management accountant, ERM education and
training, technology, aligning corporate culture,
building a case for ERM, and the ROI of ERM.
ERM Infrastructure
Implementing ERM can take many shapes. Some
organizations have only one person in charge of
risk, while others employ a large team. Both
approaches have advantages. With a large team,
more resources and people are focused on the
effort. Having a small ERM staff, however,
encourages the organizational units, manage-
ment, and employees to become highly involved
and share responsibility for ERM. A common
approach is to have a moderate number of peo-ple on the ERM team to facilitate risk work-
shops, help executives and business units
understand their risks, gather data across the
organization, and assist in reporting risks
upwards to senior executives and the board.
Broad representation, objectivity, and a look to
the big picture are keys. Although many
approaches to ERM are found in practice, com-
mon elements include:
CEO commitment (tone and messaging from
the top),
Risk policies and/or mission statements,including adapting any company risk or audit
committee charter to incorporate ERM,
Reporting to business units, executives, and
the board,
Adoption or development of a risk framework,
Adoption or development of a common risk
language,
Techniques for identifying risk,
Tools for assessing risks,
Tools for reporting and monitoring risk,
Incorporating risk into appropriate employees
job descriptions and responsibilities,
Incorporating risk into the budgeting function,
and
Integrating risk identification and assessment
into the strategy of the organization.
23
E N T E R P R I S E R I S K A N D C O N T R O L
12 Stephen W. Bodine, Anthony Pugliese, and Paul L.Walker, A Road Map to Risk Management.Journal ofAccountancy, December 2001, pp. 65-70.
7/26/2019 IMAToolsTechniquesMay07[1]
27/34
ERM Maturity Models
Once an organization has implemented ERM, anappropriate question arises about the progress
being made in ERM. As a result, a number of ERM
maturity models have been developed. One orga-
nization categorizes ERM development into three
phases: (1) building a foundation, (2) segment-
level ERM, and (3) enterprise-level ERM. Each
phase is broken down into three stages, shown in
Exhibit 17. Phase 1 involves building executive
support, building the core model,aligning expecta-
tions, and developing segment-level risk manage-
ment commitments. Phase 2 covers executing a
consistent risk framework, engagement in specif-
ic areas and by segment-level personnel, and
demonstrating the tangible value of a disciplined
process. Phase 3 includes connecting segment
risks, enhancing coordination and integration, and
deepening risk management focus. While
described for a multi-billion dollar entity, this
approach is scalable to organizations of any size.
Maturity models do more than inform a company
of its progress in ERM. They can influence a com-panys rating from rating agencies, too. Standard
& Poors now applies an ERM maturity model to
certain companies and industries, such as the
insurance and banking industries as well as
some energy companies. Consequently, ERM
implementation could eventually impact a compa-
nys cost of capital and capital adequacy. For
example, Standard & Poors evaluates an insur-
ers ERM practices by considering the risk man-
agement culture, risk controls, emerging risk
management, risk and capital models, and strate-
gic risk management. These lead to an ERM
score of weak, adequate, strong, or excellent.
Staging ERM Adoption for Early Wins
ERM implementation is a change management
project in which an organization moves to risk-
informed decision making. The goal is to improve
the confidence of decision makers through a
24
E N T E R P R I S E R I S K A N D C O N T R O L
Phase I:
Building a Foundation for
Business Risk Management
Phase II:
Segment-Level
Business Risk Management
Phase III:
Enterprise-Level
Business Risk Management
Phase Objectives Build executive-level support
Strengthen core team and operating model
Align expectations through a risk management
commitment process
Develop segment-level risk
management commitments
Execution of a consistent risk management
approach across all segments
Engagement in specific areas to help the
business remediate significant risk issues and
fulfill their segment risk management
commitment
Segment-level personnel at appropriate levels
engaged in the risk management process
Demonstrating the tangible value of a
disciplined risk management process within each segment
Evolve to an Enterprise Risk Commitment and
accountability model by connecting the
Segment Risk Commitments to consider cross-
segment risk issues and interdependencies
Enhance coordination and integration among
Segment Business Risk Services (BRS) teams
to help the enterprise remediate significant risk
issues and fulfill the Enterprise Risk Commitment
Deepen risk management focus on potential
risk issues applicable to all business segments Enhance coordination with other components
of the Enterprise Risk Management Operating
Model that focus on specific areas of risk
exposure
Stage Objectives:
Stage 1:
Awareness
Build Risk
Management
Vision, Strategy &
Awareness
Stage 2:
Capability
BuildInitial Risk
Management
Foundation of
Structure,
Resources and
Operating Model
Stage 3:
Alignment
Align
Expectations
through a Risk
Management
Commitment
Stage 4:
Engagement
Stage 5:
Value
Stage 6:
Operationalize
Engagement in
Specific Risk
Issues to Help
Fulfill the Risk
Management
Commitment
Demonstrating
Tangible Value
from a
Disciplined Risk
Management
Process
Segment-Level
Personnel at All
LevelsFully-
Engaged in and
Operationalizing
the Risk
Management
Process
Stage 7:
Collaborate
Stage 8:
Coordinate
Stage 9:
Integrate
Enhance BRM
Collaboration
Across Other
Segment Teams
to Consider
Cross-Segment
Risk Issues and
Interdependences
Enhance BRM
Collaboration
Across Other
Segment Teams
to Consider
Cross-Segment
Risk Issues and
Interdependences
Enhance BRM
Coordination with
Other Areas
BRM is Fully-Integrated with
BusinessPlanning,
PerformanceManagement,
Quality and OtherKey Management
Processes
EXHIBIT 17. ERM MATURITY MODEL
7/26/2019 IMAToolsTechniquesMay07[1]
28/34
more explicit understanding of the risks facing
the unit. ERM is a journey that takes continuous
commitment from C-level executives and where
implementation cannot be achieved overnight
it should proceed in incremental steps. At the
same time, an organization embarking on ERM
implementation needs to recognize that bad
things can happen to a good project if results are
not forthcoming. Consequently, striving for early
wins in the ERM implementation project is impor-
tant. For example, a major company (after devel-oping its approach to ERM) chose to implement
ERM in a strategic business unit that was
mature and tightly controlled. In this instance,
the company preferred not to roll out ERM in a
unit that it knew in advance had many problems.
The roll out was successful, and the unit was
used as a model to help build momentum for
ERM implementation in other units.
In another company, the decision was to initially
implement ERM with the senior level executives.
This group went through the process of identify-ing and assessing risks at the enterprise level
and developing mitigation strategies. Once mem-
bers of this group were sold on the benefits of
ERM, they became ERM champions and support-
ed its roll out to the various operating units. See
Exhibit 17 for an example of staging an
implementation.
The Role of the Management Accountant
As noted in the first SMA on ERM, the manage-
ment accountant and finance professional can
play a major role in ERM implementation by
championing the process, providing expertise on
the process, serving on cross-functional ERM
teams, and providing thought leadership. Other
key roles include assisting with the quantifica-
tion of risks, analyzing the risk correlations,
developing the range and distribution of a risks
impact, determining the reasonableness of likeli-
hood estimates, benchmarking impact and likeli-
hood against historical events and other organi-
zations, setting and understanding risk toler-
ances and appetites, assessing and quantifying
various alternative risk mitigation strategies, and
quantifying the benefits of ERM.
ERM Education and Training
Some control frameworks outside the United
States mention the possibility of mandating ERM
training. Although formal training on financialrisks is more common, ERM education and train-
ing is being developed. Training needs can
include:
Understanding the nature of riskthis is not
as easy as it first appears if a true enterprise-
wide approach is implemented,
Understanding the legal and regulatory require-
ments related to risk management,
Knowledge of ERM frameworks,
Facilitation skills,
Expertise in identifying risks,
Knowledge for building risk maps, Reporting structures and options (what to
repor t to the CEO, board, and audit
committee),
Software training,
Financial risk training (options, hedging strate-
gies, insurance options, derivatives, etc.),
Refocused strategy training and how risk inter-
acts with strategy,
Building and understanding control solutions,
Developing and monitoring performance met-
rics related to risks, and
Change management.
Technology
Some technology tools are available to assist in
the facilitation/identification phase. Additionally,
software is available to assist an organization
with the entire ERM process. Gartner Inc. recent-
ly reviewed ERM software vendors on two
25
E N T E R P R I S E R I S K A N D C O N T R O L
7/26/2019 IMAToolsTechniquesMay07[1]
29/34
aspects: completeness of vision and ability to
execute.13 Some organizations choose to either
develop their own ERM processes tailored to
their needs or hire consultants to help with the
process. Technology products not only help with
the process, but they also assist with data
gathering, modeling, or reporting. One risk soft-
ware tool, for example, helps with capital opti-
mization and data management. Other technolo-
gy products are designed to help with issues
such as time-series modeling, correlations, andother advanced modeling techniques. Finally, cer-
tain industries have software tailored for compa-
nies in that industry, such as the online maturity
model available for insurance companies.14
Aligning Corporate Culture
Many organizations will notice a change in the
company culture as ERM implementation pro-
gresses. One noticeable difference is a proactive
focus on risks rather than a reactive approach.
Other changes are related to improved accounta-
bility and responsibility. With ERM in place, man-agers are more responsible for risk management
and controls because they helped identify the
risks and controls. As solutions and metrics are
developed to better manage a risk, management
can also be held more accountable for it. One
nonprofit organization mandates management
action plans for any risk over a certain amount.
This increase in accountability and responsibility
can flow down to lower levels in the organization.
An additional change may be from a We need to
comply perspective to We need to manage this
risk to achieve better results. One software
company tries to build a risk management
thought process into the development of all new
products; this effort has resulted in a shift in the
culture and thinking about the role of risk man-
agement. Other cultural changes could occur,
such as a shift from blaming to identify and
managing, a change in do not report bad
news to report as early as possible (so the
risk can be managed), and, finally, from How
does this affect my area or unit to How does
this affect the risks of the entire organization.
Some consultants have developed cultural diag-
nostic tools to enable organizations to assessthis cultural change.
Building a Case for ERM
The New York Stock Exchange (NYSE) has incor-
porated elements of risk assessment and man-
agement into its listing requirements. For regis-
trants with the Securities and Exchange
Commission, item 1A of Form 10-K mandates
risk factor disclosures. These certainly support
a case for ERM implementation, yet a companys
executive management may argue that compli-
ance with these requirements can occur withoutfull-scale ERM implementation. In those situa-
tions, the board of directors may have to ask the
tough questions about the companys risk identi-
fication, assessment, and management process
to get executive management to implement
ERM. Certainly, when executive management
presents the companys strategy to the board or
seeks approval of a merger, the board has an
opening to ask questions about the companys
risk identification, assessment, and manage-
ment process. ERM should engage and educate
the board because the board members clearly
have a stake in the reputation and sustainable
success of the organizations they serve.
As more companies adopt ERM and disclose its
adoption in their annual reports and as Standard
& Poors incorporates a companys ERM prac-
tices in its ratings, other companies may begin
26
E N T E R P R I S E R I S K A N D C O N T R O L
13 French Caldwell and Tom Eid, Magic Quadrant forFinance, Governance, Risk and Compliance Management
Software, 2007, Gartner, February 1, 2007,http://mediaproducts.gartner.com/reprints/paisleyconsult-ing/145150.html.14 See www.rims.org.
7/26/2019 IMAToolsTechniquesMay07[1]
30/34
to feel pressure to implement ERM. The execu-
tive management of one company has noted that
it will discuss the companys ERM process when-
ever meeting with financial analysts. The goal is
to inform analysts that the company is serious
about risk management, and, ideally, the market
will recognize this management capability in its
assessment of the companys future.
The ROI of ERM
When a company has adopted ERM, the case forbenefits vs. the cost and effort expended can be
made by pointing to specific experiences where
managing a risk added value to the bottom line.
A major retailer uses metrics to track the results
of its risk management initiatives. For example,
the company will open many new stores in the
year and must have capable store managers.
From experience, the company knows that one
risk is the turnover of store managersit has
historical data on turnover rates and knows the
cost of recruiting and training a store manager.
The human resources group adopted risk mitiga-tion activities for the turnover risk, established
targets for improvement, and monitored the
results. In time, it was able to show that manag-
ing this risk reduced costs and, thus, improved
the companys bottom line. The leadership of the
human resources group could report to the CEO
that they had indeed created shareholder value
by managing this risk. In many cases, it does not
take a rocket scientist to select appropriate met-
rics to monitor the effectiveness of risk mitiga-
tion initiatives, and, in turn, the impact on the
bottom line. While it would be desirable to calcu-
late a ROI for the ERM effort, such a measure-
ment would be based on many assumptions.
Focusing on the benefits of managing a specific
risk may offer the most persuasive evidence of
how ERM creates value for the company.
VI I I . CONCLUSIONThis Statement on Management Accounting on
ERM, along with the earlier one published by
IMA, provides guidance for the leaders of orga-
nizations to identify, assess, and manage risk
while at the same time growing the business.
Because the risks in the global economy con-
stantly change and evolve, ERM is a never-ending
journey. ERM requires strong commitment from
C-level executives and an effective process tai-
lored to each organizations unique culture. Acompanys implementation can benefit from the
ERM knowledge that Certified Management
Accountants (CMAs) and other finance profes-
sionals can bring to the process. In their quest
to drive business performance, management
accounting and finance professionals should
seize the opportunity to become partners with
senior management and the board in ERM
implementation.
GLOSSARY
IMPACTThe significance of a risk to an organi-zation. Impact captures the importance of
the risk. It can be measured quantitatively or
qualitatively.
INHERENT RISKThe level of risk that resides
with an event or process prior to manage-
ment taking mitigation action.
LIKELIHOODAn estimate of the chance or prob-
ability of the risk event occurring.
OPPORTUNITYThe upside of risks.
RESIDUAL RISKThe level of risk that remains
after management has taken action to miti-
gate the risk.
RISKAny event or action that can keep an
organization from achieving its objectives.
RISK APPETITEThe overall level of risk an
organization is willing to accept given its
capabilities and the expectations of its
stakeholders.
27
E N T E R P R I S E R I S K A N D C O N T R O L
7/26/2019 IMAToolsTechniquesMay07[1]
31/34
RISK TOLERANCEThe level of risk an organiza-
tion is willing to accept around specific
objectives. Risk tolerance is a narrower level
than risk appetite.
REFERENCE LISTBarton, Thomas L., William G. Shenkir, and Paul
L. Walker, Making Enterprise Risk
Management Pay Off, Financial Executives
Research Foundation, Upper Saddle River,
N.J., 2001.Bodine, Stephen W., Anthony Pugliese, and Paul
L. Walker, A Road Map to Risk
Management. Journal of Accountancy,
December 2001, pp. 65-70.
Brady, Diane, General Electric, the Immelt Way,
Business Week, September 11, 2006, p. 33.
Caldwell, French, and Tom Eid, Magic Quadrant
for F inance, Governance, Risk and
Compliance Management Software, 2007,